
Update 1.x Critical Vulnerabilities #5547

Closed
spacesailor24 opened this issue Oct 19, 2022 · 2 comments
Labels: 1.x (1.0 related issues), dependencies (Updates dependency)

Comments

spacesailor24 (Contributor) commented Oct 19, 2022
7 critical vulnerabilities were reported after the changes in #5529

# npm audit report

ansi-regex  4.0.0 - 4.1.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ganache-cli/node_modules/ansi-regex

elliptic  <6.5.4
Severity: moderate
Use of a Broken or Risky Cryptographic Algorithm - https://github.com/advisories/GHSA-r9p9-mrjm-926w
fix available via `npm audit fix`
node_modules/ganache-cli/node_modules/elliptic

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install karma-browserify@8.1.0, which is a breaking change
node_modules/watchify/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchify/node_modules/chokidar
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchify  3.0.0 - 3.11.1
    Depends on vulnerable versions of chokidar
    node_modules/watchify
      karma-browserify  4.1.0 - 8.0.0
      Depends on vulnerable versions of watchify
      node_modules/karma-browserify
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack

parse-path  <5.0.0
Severity: high
Authorization Bypass in parse-path - https://github.com/advisories/GHSA-3j8f-xvm3-ffx4
fix available via `npm audit fix --force`
Will install lerna@6.0.0, which is a breaking change
node_modules/parse-path
  parse-url  <=8.0.0
  Depends on vulnerable versions of parse-path
  node_modules/parse-url
    git-up  <=6.0.0
    Depends on vulnerable versions of parse-url
    node_modules/git-up
      git-url-parse  4.0.0 - 12.0.0
      Depends on vulnerable versions of git-up
      node_modules/git-url-parse
        @lerna/github-client  <=5.5.1
        Depends on vulnerable versions of git-url-parse
        node_modules/@lerna/github-client
          @lerna/version  3.11.0 - 5.5.1 || 5.5.3
          Depends on vulnerable versions of @lerna/github-client
          node_modules/@lerna/version
            @lerna/publish  3.11.0 - 5.5.1 || 5.5.3
            Depends on vulnerable versions of @lerna/version
            node_modules/@lerna/publish
            lerna  3.11.0 - 5.5.1
            Depends on vulnerable versions of @lerna/version
            node_modules/lerna

parse-url  <=8.0.0
Severity: critical
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url  - https://github.com/advisories/GHSA-j9fq-vwqv-2fm2
Depends on vulnerable versions of parse-path
fix available via `npm audit fix --force`
Will install lerna@6.0.0, which is a breaking change
node_modules/parse-url
  git-up  <=6.0.0
  Depends on vulnerable versions of parse-url
  node_modules/git-up
    git-url-parse  4.0.0 - 12.0.0
    Depends on vulnerable versions of git-up
    node_modules/git-url-parse
      @lerna/github-client  <=5.5.1
      Depends on vulnerable versions of git-url-parse
      node_modules/@lerna/github-client
        @lerna/version  3.11.0 - 5.5.1 || 5.5.3
        Depends on vulnerable versions of @lerna/github-client
        node_modules/@lerna/version
          @lerna/publish  3.11.0 - 5.5.1 || 5.5.3
          Depends on vulnerable versions of @lerna/version
          node_modules/@lerna/publish
          lerna  3.11.0 - 5.5.1
          Depends on vulnerable versions of @lerna/version
          node_modules/lerna

y18n  4.0.0
Severity: high
Prototype Pollution in y18n - https://github.com/advisories/GHSA-c4w7-xm78-47vh
fix available via `npm audit fix`
node_modules/ganache-cli/node_modules/y18n

yargs-parser  <=5.0.0
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
No fix available
node_modules/solc/node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1
  Depends on vulnerable versions of yargs-parser
  node_modules/solc/node_modules/yargs
    solc  0.3.6 - 0.4.26
    Depends on vulnerable versions of yargs
    node_modules/solc
      @ensdomains/ens  *
      Depends on vulnerable versions of solc
      node_modules/@ensdomains/ens

22 vulnerabilities (5 moderate, 10 high, 7 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.
@spacesailor24 spacesailor24 added 1.x 1.0 related issues dependencies Updates dependency labels Oct 19, 2022
@jdevcs jdevcs self-assigned this Nov 15, 2022
jdevcs commented Nov 17, 2022

Mostly these libs are used in dev only, so they should be discussed and updated under:
#5629
#5630

jdevcs commented Nov 17, 2022

Closing this issue as it will be tracked under the above-mentioned issues.

@jdevcs jdevcs closed this as completed Nov 17, 2022